FedSmith.com Users Generally Dissatisfied with FRTIB’s Handling of TSP Data Breach

We asked our users to share their opinions with the recent news of the data breach within the TSP. Despite expressing dissatisfaction, a majority of users said it would not have an impact on their future TSP investments.

On May 25, the Federal Retirement Thrift Investment Board announced that a data breach had occurred in July 2011 resulting in the unauthorized access of the personal information of approximately 123,000 TSP participants. A computer belonging to Serco, a vendor used by the TSP, had been hacked, thus resulting in the unauthorized access of the files.

We asked our users if they thought the situation was handled well and if it had any impact on their opinion of investing in the TSP.

Despite being generally dissatisfied with the way the FRTIB handled the situation, a majority of respondents said the data breach will not have any impact on their future TSP investments. However, an overwhelming number also said that they are less confident in the ability of the TSP program to keep their personal information secure.

A summary of the questions and the answers of the almost 2,800 individuals who participated in the survey follows below.

Responses from TSP participants

Do you know if your information was part of the data that were compromised?
  Yes: 5.2%
  No: 94.8%

Have you been contacted by the FRTIB regarding this incident?
  Yes: 6%
  No: 93.8%

Will this event have any impact on your future TSP investments?
  Yes: 33.7%
  No: 66.3%

Questions posed to all respondents

Do you feel that the response by the FRTIB has been helpful?
  Yes: 20.4%
  No: 79.6%

Do you think the FRTIB responded in a manner that will retain the confidence of TSP investors?
  Yes: 17.8%
  No: 82.2%

Does the breach affect your confidence in the ability of the TSP program to keep your personal information secure?
  Yes, I feel less confident: 84.6%
  No, I believe it is secure: 15.4%

Comments we received on the survey indicated that many respondents felt that the announcement about the breach should have been made much sooner than it was. According to FRTIB external affairs director Kim Weaver, the data were at first unreadable and took some time to decipher and detect that there was in fact a breach.

Weaver also said in a statement to FedSmith.com:

We have sent letters to the roughly 123,000 affected individuals. We have not shared the letter widely because they are intended for the affected participants. We are trying to avoid having the more than four million unaffected individuals contact Kroll, the firm that we selected to provide a comprehensive suite of services to the affected individuals. The letters contain information pertinent to assisting the affected individuals and any wider distribution could affect the level of service available to them.

The service provides alerts that make the participants aware of key changes in a credit file that could indicate the kind of unauthorized activity commonly associated with identity theft and fraud. Kroll also will provide fraud resolution assistance, if necessary. Affected persons will receive an activation code in their notification letter. To enroll, individuals must call Kroll or enroll online.

If the unaffected individuals have questions, they can contact our regular call centers, as they are already doing.

A few randomly selected comments from the survey are included below.

  • I didn’t even know about the breach until I saw it in FedSmith
  • I still want to know why it happened April 2011 and this is May 2012 when we’re told about it and we still don’t know who was affected.
  • Slightly less confident, largely due to the tremendous time lag between when the incident reportedly occurred and when investors were informed (if your stories are to be believed). This should have been treated with much more urgency. Our agency said they didn’t know who was affected, but that if employees were affected, we’ll receive a letter. Articles I have seen suggest affected employees probably already have these letters, so others probably can assume that this particular incident didn’t involve them.
  • The simple fact that the TSP online password requirements only allow an 8 digit password with letters and numbers tells you how archaic the site is. Every other site requires much more complex/robust passwords. I don’t feel the site is secure from hackers based on that fact alone.
  • The breach was in July of 2011... Why did it take 8 months for the TSP to discover and another almost 2 months for everyone to be notified? It seems that there was damage control in place prior to us being notified of the breach.
  • Why aren’t companies who do not take the necessary security steps to secure online personal info held legally accountable for their actions?
  • I have always been afraid that something like this would happen. I am afraid that something of this nature will happen when our complete files go electronic; there are people just waiting for this new save-money effort to be complete. Our government is not being cost effective when they decide to go electronic; this is why I stopped investing in savings bonds.
  • They should offer the year of free credit monitoring to all TSP participants not just the ones they think they know about.
  • While I say it won’t affect my investing since it’s an automatic withdrawal from my paycheck, I might make changes. Why were “third party” computers involved? Why isn’t TSP information kept on TSP computers? Why is “secure” information passed about outside the TSP computer system? Why do I have to now sign up with Kroll [at no cost to me] and provide my personal information instead of TSP authorizing them to provide ID TheftSmart service to at least those accounts affected by this breach? It now becomes my responsibility to do what TSP should have done all along in “secure” TSP accounts: PROTECT MY PERSONAL INFORMATION! What criteria determined which accounts were hacked?
  • Data breaches must be accompanied by stiff fines. I/we now have to worry every day if our identity has been compromised. Who is paying me and the others for the extra time we have to spend checking our accounts?
  • How do they know it was a foreign government who hacked it? With the current hate campaign against federal employees, it seems just as likely that it might be our fellow citizens targeting us.
  • So now I have to look over my credit report shoulder for the rest of my life because my SSN was compromised. I can just imagine that all that info is being sold on the black market as I write this and someday when I file to start receiving Social Security I will be told “There seems to be a problem”. Then the IRS will be holding their hand out for unpaid taxes on income I never made but that was credited to my SSN. FRTIB recommends that I place a fraud alert on my credit file, which brings other complications into my life. My TSP account has also been placed on alert and will be monitored for “unusual” activity. I’ve been in the dark about this for the last 11 months. Why?
  • Cancel the SERCO contract. Cancel all Federal Government outsource contracting and put it back in house. Put people back to work, who pay taxes, and improve the country’s economy.
  • Just received my notification in the mail yesterday. An email from them notifying me would have been great. Free IDTheftSmart for one year is great as long as they can guarantee the info will be used within that time period. They can’t do that.
  • I have no clue if I was part of the breach as I haven’t received a letter yet which doesn’t mean I won’t receive one. I think the communication as to who was affected and who wasn’t should have been more concise and faster. I think emails to our work accts would also be necessary as mail is not always responsibly or accurately delivered. There should be a website set up so that we can plug our names in to see if we were one of those affected.
  • Because of this incident I will withdraw my entire balance upon retirement. If I could wipe my information from their computers entirely I would do so.
  • The FRTIB may have provided sufficient information but I haven’t seen it. If it’s out there and I see what they have to say, it may affect how I would have responded to this survey. In the meantime though, I am very concerned.
  • FRTIB should use the email notification system that sends us monthly updates to inform us of who was affected, what will be done in the future to stop this, and to give us free identity protection for three years. We only hear about this from other sources.

About the Author

Ian Smith is one of the co-founders of FedSmith.com. He has over 20 years of combined experience in media and government services, having worked at two government contracting firms and an online news and web development company prior to his current role at FedSmith.